Endpoint

5/4/2009
02:55 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Researchers Take Over Dangerous Botnet

Computer scientists at the University of California-Santa Barbara expose details of infamous botnet known for stealing financial data after temporarily wresting control of it

A group of researchers at the University of California-Santa Barbara boldly hijacked a notorious botnet known for stealing financial information and discovered that the botnet is even more dangerous than had been thought.

Researchers at the University of California at Santa Barbara have published a report (PDF) that exposes details about how the infamous Torpig/Sinowal/Anserin botnet operates, its makeup, who it typically victimizes, and just what type of financial data it's stealing. The researchers seized control of the botnet for 10 days in late January, after which Torpig's operators reclaimed it.

"Torpig provided a unique opportunity to understand a live botnet. Most of the time, researchers only gain access to offline data, [such as] through a dropzone server that may be years old, while the data that we received was in real-time," says Brett Stone-Gross, one of the UCSB researchers.

While big-name botnets, like the former Storm, are best-known for their widespread spam runs and often dismissed as more of annoyance, it's the smaller, more stealthy botnets like Torpig that can pose real dangers. Torpig is a specialized mini-botnet -- a smaller and less conspicuous army that targets organizations and users to steal bank account information or other valuable personal information.

Torpig has been a hot subject for researchers for some time: RSA last October revealed that the so-called Sinowal Trojan, a.k.a. Torpig and Mebroot, had been stealing data for about three years, and had successfully swiped 300,000 online bank accounts, credit and debit card accounts, and an unknown number of email and FTP accounts. The botnet's malware "may be one of the most pervasive and advanced pieces of crimeware ever created by fraudsters," researchers say.

Wresting Control
Torpig initially infects users via drive-by download attacks. Once a machine is infected, Torpig can unleash sneaky phishing attacks that generate phony but chillingly convincing-looking Web pages and forms that lure the user into giving up his credentials.

"These phishing attacks are very difficult to detect, even for attentive users. In fact, the injected content carefully reproduces the style and look-and-feel of the target Web site," the UCSD researchers wrote in their report. "Furthermore, the injection mechanism defies all phishing indicators included in modern browsers. For example, the SSL configuration appears correct, and so does the URL displayed in the address bar."

The Websites most commonly infected with Torpig? Pornography-oriented ones, Stone-Gross says.

The UCSB researchers say they wrested control of Torpig by turning the tables on the botnet's own advanced architecture: a system called domain flux, which rotates domain names, typically pointing to a single IP address. It's a distant cousin of fast-flux hosting, which uses a single domain name that maps to multiple IP addresses that rotate in a round-robin fashion to evade detection. "We registered the domain names before the infected machines were programmed to contact them. The botnet controllers had only registered a couple of the domains in advance," Stone-Gross says.

Stone-Gross and his colleagues then gained control of Torpig's C&C server (Mebroot has its own C&C server that can update the Torpig binary code). The botnet operators regained control of the botnet after Mebroot's controllers updated the Torpig binary. "As a result, the infected machines were redirected to different domains that we did not own," he says.

But the UCSB researchers were able to collect some 70 gigabytes of data during the 10 days they controlled the botnet, which they estimate was at about 182,914 machines. During that time, Torpig stole banking credentials of 8,310 accounts from more than 400 different financial institutions -- namely PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E-Trade (304), and Chase (217).

They also saw a large number of businesses with relatively small numbers of Torpig bots; 310 companies had 10 or fewer bots. But most of the bots were aimed at consumers. "The majority of victims are home users," Stone-Gross says.

Torpig also goes after browsing data of the victims for potential identity theft or other nefarious purposes, according to the researchers.

The researchers counted 1,660 different stolen credit and debit card accounts, 49 percent of which belonged to victims in the U.S., 12 percent from Italy, and 8 percent from Spain. Of the cards, 1,056 were Visa cards; 447, MasterCard; 81, American Express; 36, Maestro; and 24, Discover. In one case, the botnet stole 30 credit card numbers from a single victim, who turned out to be an agent for an at-home distributed call center.

"It seems that the card numbers were those of customers of the company that the agent was working for, and they were being entered into the call center's central database for order processing," according to the UCSB report.

Next: Are researchers tipping their hand? Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.